European Union (Passenger Name Record Data) Regulations 2018.

• Statutory Instrument No.: 177/2018
• Published date: 29 May 2018

TABLE OF CONTENTS

Regulation

1. Citation and commencement

2. Interpretation

3. Scope

4. Passenger Information Unit (PIU)

5. Processing of PNR Data by PIU

6. Transfer of PNR data by PIU to other Member State and competent authorities

7. Exchange of PNR data with other Member States

8. Request for PNR data from Europol

9. Competent authorities

10. Obligations on air carriers regarding transfer of PNR data

11. Period of data retention and depersonalisation

12. Retention of documentation

13. Restriction of disclosure of data or documentation

14. Data protection officer

15. Functions of Data Protection Commission

16. Transfer of data to third countries

17. Offence — non-compliance by air carrier with Regulation 10

18. Offence by bodies corporate

19. Reporting of statistical information

SCHEDULE 1

Passenger name record (PNR) data

SCHEDULE 2

Serious crime

SCHEDULE 3

Competent authorities

S.I. No. 177 of 2018

EUROPEAN UNION (PASSENGER NAME RECORD DATA) REGULATIONS 2018

Notice of the making of this Statutory Instrument was published in

“Iris Oifigiúil” of 29th May, 2018.

I, CHARLES FLANAGAN , Minister for Justice and Equality, in exercise of the powers conferred on me by section 3 of the European Communities Act 1972 (No. 27 of 1972) and for the purpose of giving effect to Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 20161 , hereby make the following regulations:

Citation and commencement

1. (1) These Regulations may be cited as the European Union (Passenger Name Record Data) Regulations 2018.

(2) These Regulations come into operation on 25 May 2018.

Interpretation

2. (1) In these Regulations—

“air carrier” means an air transport provider with a valid operating licence or equivalent permitting it to carry out carriage of passengers by air;

“API data” means advance passenger information and includes the type, number, country of issuance and expiry date of any identity document, nationality, family name, given name, gender, date of birth, airline, flight number, departure date, arrival date, departure port, arrival port, departure time and arrival time;

“competent authority” means an authority competent for the prevention, detection, investigation or prosecution of terrorist offences or serious crime referred to in Regulation 9;

“competent authority of another Member State” means an authority of another Member State competent for the prevention, detection, investigation or prosecution of terrorist offences or serious crime;

“data protection officer” means a person appointed as such under Regulation 14;

“depersonalised through masking out of data elements” means rendering those elements which could serve to identify directly the data subject invisible to a user;

“Directive” means Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016;

“Director” means Director of the PIU;

“extra-EU flight” means any scheduled or non-scheduled flight by an air carrier flying from a third country and planned to land in the State or flying from the State and planned to land in a third country, including in both cases flights with any stop-overs in other Member States or in third countries;

“Minister” means Minister for Justice and Equality;

“passenger” means any person, including persons in transfer or transit and excluding members of the crew, carried or to be carried in an aircraft with the consent of the air carrier, such consent being manifested by that person’s registration in the passenger’s list;

“passenger name record” or “PNR” means a record of each passenger’s travel requirements which contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers for each journey booked by or on behalf of any person, whether it is contained in reservation systems, departure control systems used to check passengers onto flights, or equivalent systems providing the same functionalities;

“PIU” means Passenger Information Unit, being—

(a) in the case of the State, the unit established under Regulation 4, and

(b) in the case of another Member State, the PIU established or designated by that other Member State;

“PNR data” means passenger name record data listed in Schedule 1, as far as collected by air carriers;

“push method” means the method whereby air carriers transfer PNR data listed in Schedule 1 into the PNR database of the authority requesting them to do so;

“serious crime” means the offences listed in Schedule 2 that are punishable by a custodial sentence or a detention order of a maximum period of at least 3 years;

“terrorist offences” means terrorist activity or terrorist linked activity within the meaning of section 4 or an offence under section 13 of the Criminal Justice (Terrorist Offences) Act 2005 (No. 2 of 2005).

(2) A word or expression that is used in these Regulations and that is also used in the Directive has, unless the context otherwise requires, the same meaning in these Regulations that it has in the Directive.

Scope

3. These Regulations provide for—

(a) the transfer by air carriers of passenger name record (PNR) data of passengers of extra-EU flights, and

(b) the processing of the data referred to in paragraph (a), including its collection, use and retention by the PIU and competent authorities and its exchange between other Member States.

Passenger Information Unit (PIU)

4. (1) There is established, as part of the Department of Justice and Equality, a unit to be known as the Passenger Information Unit (“PIU”).

(2) The staff of the PIU shall be headed by a Director who shall be appointed by the Minister.

(3) The Director may enter into arrangements with the competent authorities designated under Regulation 9 for the secondment to the PIU of staff of the competent authorities.

(4) The Director may enter into arrangements to engage persons (on contract or otherwise) for a period of temporary service with the PIU.

(5) A staff member of the PIU or a person who is engaged by it under paragraph (4) may be designated in writing by the Director for the purpose of the performance of functions under any provision of these Regulations.

(6) The Minister shall nominate a person to perform the functions of the Director during any absence, incapacity or suspension from duty or during any vacancy in the office.

(7) The PIU shall be responsible for—

(a) collecting PNR data from air carriers, storing and processing those data and transferring those data, or the result of the processing of them, to the competent authorities, and

(b) exchanging PNR data and the result of the processing of those data with the PIUs of other Member States and with Europol in accordance with Regulations 6 and 7, respectively.

Processing of PNR Data by PIU

5. (1) The PIU shall process data only for the following purposes:

(a) carrying out of an assessment of passengers prior to their scheduled arrival in or departure from the State in order to identify persons who require further examination by a competent authority referred to in Regulation 9 and, where relevant, by Europol in accordance with Regulation 8, to determine whether such persons may be or may have been involved in a terrorist offence or serious crime;

(b) responding, on a case-by-case basis, to a duly reasoned request based on sufficient grounds from a competent authority to provide and process PNR data in specific cases for the purpose of the prevention, detection, investigation and prosecution of terrorist offences or serious crime and to provide a competent authority or, where appropriate, Europol, with the results of such processing;

(c) analysing of PNR data for the purpose of updating or creating new criteria to be used in the assessments carried out under paragraph (1)(a) in order to identify any person or persons who may be involved in a terrorist offence or serious crime.

(2) PNR data shall not be processed in such a manner as to reveal a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation. In the event that PNR data revealing such information are received by the PIU, they shall be deleted immediately.

(3) When carrying out an assessment under paragraph (1)(a) the PIU may—

(a) compare PNR data against databases relevant for the purpose of the prevention, detection, investigation and prosecution of terrorist offences or serious crime, including databases on persons or objects sought or under alert, in accordance with European Union, international and Irish law applicable to such databases, or

(b) process PNR data against pre-determined criteria.

(4) An assessment of passengers prior to their arrival in or departure from the State carried out under paragraph (1)(a) against pre-determined criteria shall be carried out in a non-discriminatory manner.

(5) Pre-determined criteria used in the assessment of passengers—

(a) shall be targeted, proportionate and specific in nature,

(b) shall be regularly reviewed in consultation with the competent authorities, and

(c) shall not, in any circumstance, be based on a person’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.

(6) Where PNR data collected include data other than those listed in Schedule 1 such data shall be deleted immediately and permanently upon receipt.

(7) The storage, processing and analysis of PNR data shall be carried out exclusively within a secure location or locations within the State.

Transfer of PNR data by PIU to other Member State and competent authorities

6. (1) Where the PIU carries out an assessment of passengers under Regulation 5(1)(a) and identifies a person who requires further examination by a relevant competent authority...